Analysis
max time kernel: 128s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/06/2024, 03:16
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://mail.com
Resource: win10v2004-20240508-en
General
Target: http://mail.com
Malware Config
Signatures
Drops file in System32 directory (1 IoC)
  File opened for modification: C:\WINDOWS\SYSTEM32\WINBIODATABASE\51F39552-1075-4199-B513-0C10EA185DB0.DAT (svchost.exe)
Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
Modifies data under HKEY_USERS (2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (chrome.exe)
  Set value (int): \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133625493981265993" (chrome.exe)
  (S-1-5-19 is the well-known SID of NT AUTHORITY\LOCAL SERVICE.)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 2232 chrome.exe (x2)
Suspicious behavior: LoadsDriver (6 IoCs)
  PID 4 Process not Found (x5)
  PID 652 Process not Found (x1)
  (PID 4 is the Windows System process; the sandbox has no image name for it, hence "Process not Found".)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
  PID 2232 chrome.exe (x2)
Suspicious use of AdjustPrivilegeToken (22 IoCs)
  Token: SeShutdownPrivilege, PID 2232 chrome.exe (x10)
  Token: SeCreatePagefilePrivilege, PID 2232 chrome.exe (x10)
  Token: SeManageVolumePrivilege, PID 4448 svchost.exe (x1)
  Token: SeShutdownPrivilege, PID 5020 svchost.exe (x1)
Suspicious use of FindShellTrayWindow (27 IoCs)
  PID 2232 chrome.exe (x27)
Suspicious use of SendNotifyMessage (24 IoCs)
  PID 2232 chrome.exe (x24)
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 1612 AccountsControlHost.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  PID 2232 chrome.exe wrote to memory of PID 920 (procid_target 89) (x2)
  PID 2232 chrome.exe wrote to memory of PID 4044 (procid_target 91) (repeated)
  PID 2232 chrome.exe wrote to memory of PID 2188 (procid_target 92) (x2)
  PID 2232 chrome.exe wrote to memory of PID 5052 (procid_target 93) (repeated)
  All 64 rows have chrome.exe (PID 2232) as the writer, and every target (920, 4044, 2188, 5052) is one of its own child processes in the process list below.
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2232, top level)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://mail.com
  Signatures: Enumerates system info in registry; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  Child processes of PID 2232:
    PID 920, C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff852f1ab58,0x7ff852f1ab68,0x7ff852f1ab78
    PID 4044, C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=1920,i,14137199003078567687,3461215307598189371,131072 /prefetch:2
    PID 2188, C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1920,i,14137199003078567687,3461215307598189371,131072 /prefetch:8
    PID 5052, C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2224 --field-trial-handle=1920,i,14137199003078567687,3461215307598189371,131072 /prefetch:8
    PID 2980, C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2960 --field-trial-handle=1920,i,14137199003078567687,3461215307598189371,131072 /prefetch:1
    PID 4336, C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2968 --field-trial-handle=1920,i,14137199003078567687,3461215307598189371,131072 /prefetch:1
    PID 1524, C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4580 --field-trial-handle=1920,i,14137199003078567687,3461215307598189371,131072 /prefetch:8
    PID 3068, C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4172 --field-trial-handle=1920,i,14137199003078567687,3461215307598189371,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (PID 3832, top level)
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4800, top level)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3416,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=1328 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4448, top level)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault9d26064eh916bh4d45hbc80h1b0075ab2f19
C:\Windows\System32\svchost.exe (PID 4448, top level)
  Command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  Signatures: Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\CredentialEnrollmentManager.exe (PID 400, top level)
  Command line: C:\Windows\system32\CredentialEnrollmentManager.exe
C:\Windows\system32\svchost.exe (PID 1316, top level)
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Windows\system32\svchost.exe (PID 5020, top level)
  Command line: C:\Windows\system32\svchost.exe -k WbioSvcGroup -s WbioSrvc
  Signatures: Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe (PID 1612, top level)
  Command line: "C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe" -ServerName:App.AppX20qnn98vxw5bhxrjtb1f6rggecb2k15a.mca
  Signatures: Suspicious use of SetWindowsHookEx
Note: PID 4448 is listed for both msedge.exe (--default-search-provider) and svchost.exe -k UnistackSvcGroup; the SeManageVolumePrivilege row under AdjustPrivilegeToken is attributed to the svchost.exe instance. The System32 file write (WINBIODATABASE\...DAT) is attributed to PID 5020, the WbioSrvc (Windows Biometric Service) host.
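The "Suspicious use of WriteProcessMemory" signature fires on any cross-process write, so the first thing to check in a browser run is whether the writer is the parent of every target. In this report it is: chrome.exe 2232 writes only into the chrome.exe children listed directly under it. The script below is an added example, not part of the report or of any sandbox's code. It parses rows in the report's flattened "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>" layout, looks each target up in a process table built from the Processes section above, and separates writes into the writer's own direct children from writes into anything else. The PROCESSES table reproduces the report's process list; the SAMPLE_ROWS string is constructed (repeats collapsed) and its last row, a write into PID 1612, does not occur in the report and exists only to exercise the flagging path.

```python
import re
from collections import Counter

# Process list as laid out in the report's Processes section: pid -> (image, parent pid).
# The eight chrome.exe children are nested one level under PID 2232; the rest are top level.
PROCESSES = {
    2232: ("chrome.exe", None),
    920:  ("chrome.exe", 2232),  # --type=crashpad-handler
    4044: ("chrome.exe", 2232),  # --type=gpu-process
    2188: ("chrome.exe", 2232),  # network.mojom.NetworkService
    5052: ("chrome.exe", 2232),  # storage.mojom.StorageService
    2980: ("chrome.exe", 2232),  # renderer
    4336: ("chrome.exe", 2232),  # renderer
    1524: ("chrome.exe", 2232),  # chrome.mojom.ProcessorMetrics
    3068: ("chrome.exe", 2232),  # chrome.mojom.UtilWin
    3832: ("elevation_service.exe", None),
    4800: ("msedge.exe", None),
    400:  ("CredentialEnrollmentManager.exe", None),
    1316: ("svchost.exe", None),
    5020: ("svchost.exe", None),
    1612: ("AccountsControlHost.exe", None),
}

# IoC rows in the report's flattened layout:
#   "PID <writer> wrote to memory of <target> <writer> <writer image> <procid_target>"
# Rows 1-5 occur in the report (repeats collapsed to at most two). Row 6 is CONSTRUCTED
# for this example to exercise the flagging path; it does not appear in the report.
SAMPLE_ROWS = (
    "PID 2232 wrote to memory of 920 2232 chrome.exe 89 "
    "PID 2232 wrote to memory of 920 2232 chrome.exe 89 "
    "PID 2232 wrote to memory of 4044 2232 chrome.exe 91 "
    "PID 2232 wrote to memory of 2188 2232 chrome.exe 92 "
    "PID 2232 wrote to memory of 5052 2232 chrome.exe 93 "
    "PID 2232 wrote to memory of 1612 2232 chrome.exe 90"   # constructed, not from the report
)

# The writer pid appears twice per row; the backreference enforces that the row is well formed.
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_rows(text):
    """Return (writer_pid, target_pid, writer_image) per row. Works on the
    space-joined layout of the report as well as on one row per line."""
    return [(int(w), int(t), img) for w, t, img, _ in ROW_RE.findall(text)]


def classify_writes(text, processes):
    """Split cross-process writes into those aimed at the writer's own direct
    children and those aimed at any other process.

    Returns (own_child_counts, foreign): own_child_counts is a Counter of
    target pid -> number of rows; foreign maps target pid -> (writer image,
    target image, or 'unknown' when the pid is not in the process list)."""
    own_child, foreign = Counter(), {}
    for writer, target, image in parse_rows(text):
        entry = processes.get(target)
        if entry is not None and entry[1] == writer:
            own_child[target] += 1
        else:
            foreign[target] = (image, entry[0] if entry else "unknown")
    return own_child, foreign


if __name__ == "__main__":
    own, foreign = classify_writes(SAMPLE_ROWS, PROCESSES)
    print("writes into own children:", dict(own))
    print("writes into other processes (review these):", foreign)
```

Run against the report's actual rows the foreign set is empty; anything that lands in it (a write into a process the writer did not spawn, or into a pid the process list does not know) is what deserves a manual look, since a parent seeding its freshly created child is how every multi-process browser starts.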
Network
MITRE ATT&CK Enterprise v15
Downloads
Download 1
  Filesize: 255KB
  MD5: ba0e632515a1bc44ba42c815145745ee
  SHA1: 39c9460255d47909aa83989ff8636643885e28a4
  SHA256: 0be48f5151b4650409af3c1e44523235f2ee2081fe032e1f9ce9ee10940402ba
  SHA512: 6e6815903ebaf9e0f9416299a2601500c809516f1bcc72fcbec5c7ab7f88ab290712184c5f6131807071690346fb36fa3dd373228853c0183ccaab666de5f357
Download 2
  Filesize: 811B
  MD5: a7269af6ca1de04f5580976744d88606
  SHA1: 6caeb01eb622ef54ac10c1d8a945656c74dc2db9
  SHA256: ba1fc291c624a6610993d62258314f021a5384a5d09f6e59a088eb6f44a3efc5
  SHA512: c5696c501517380b2badcc3ea6761e738064a85e5a4ef00f6984ee9d2c5a3b1e86479000087730610cf40b63815a01eeac059909b308c72020fdde000c497c68
Download 3
  Filesize: 2B
  MD5: d751713988987e9331980363e24189ce
  SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
  SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
Download 4
  Filesize: 7KB
  MD5: 6602bec4ed24b607f5966e4a4faa5a5e
  SHA1: 95390204fd55bdda6a46e61c76120342cbe69d99
  SHA256: 702a409c1160f07b320e8a6df5b8ac1007434405d70e189843bd875f722f511c
  SHA512: 07e6a977569661b62192d558a27acffa58a3a40ef91405a3cdffdbcbfa2d32338bb4226716b4f243833133c0cab9e184f06fa4819246390bb533c82af75fcaa9
Download 5
  Filesize: 255KB
  MD5: 81252b39dc93e32d7cf45028bf0bca9d
  SHA1: 8a787ee7ba634bed28c43c60c1eb149f1b795edf
  SHA256: 4b0fbd04bc3ca25462c756b791507dd5c52d82f78d0e672c733581a964be6309
  SHA512: 683e4de8a7500c4283a97cd12280b9fac764fb1b7bcfd3216e6dea2941a5baeb9bca7058734f5f7894aed95a5f0d5db03a5d85b3b4e153153d589f253c759f2c
Download 6
  Filesize: 264KB
  MD5: f50f89a0a91564d0b8a211f8921aa7de
  SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
  SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
  SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
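The report gives four digests per download but no content, so very small bodies can be identified from the digests alone without re-fetching anything. The script below is an added example, not part of the report. It first checks that each listed digest is hex of the length its algorithm produces (a quick guard against copy errors when digests are pasted into blocklists), then hashes a constructed list of typical two-byte HTTP response bodies and reports which one reproduces every listed digest for the 2-byte download above. The LISTED_2B values are copied from the Downloads section; the CANDIDATES_2B list is an assumption of this example.

```python
import hashlib

# Digests the report lists for its 2-byte download (Downloads section above).
LISTED_2B = {
    "md5": "d751713988987e9331980363e24189ce",
    "sha1": "97d170e1550eee4afc0af065b78cda302a97674c",
    "sha256": "4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945",
    "sha512": "b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af",
}

# Hex digest length per algorithm; a listed value of another length was mis-copied.
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

# Constructed guesses for what a 2-byte HTTP body usually is (assumption of this example).
CANDIDATES_2B = [b"[]", b"{}", b"OK", b"ok", b"\r\n", b"0\n"]


def well_formed(listed):
    """True when every listed digest is lowercase hex of the right length."""
    return all(
        len(v) == HEX_LEN[a] and all(c in "0123456789abcdef" for c in v)
        for a, v in listed.items()
    )


def digests(data):
    """All four digests of a byte string, keyed like the report."""
    return {a: hashlib.new(a, data).hexdigest() for a in HEX_LEN}


def match_listed(candidate, listed):
    """Per-algorithm comparison of a candidate body against the listed digests."""
    computed = digests(candidate)
    return {a: computed[a] == v for a, v in listed.items()}


def identify(listed, candidates):
    """Return the first candidate body that reproduces every listed digest, else None."""
    for body in candidates:
        if all(match_listed(body, listed).values()):
            return body
    return None


if __name__ == "__main__":
    print("digests well formed:", well_formed(LISTED_2B))
    print("2-byte download body:", identify(LISTED_2B, CANDIDATES_2B))
```

A match on all four algorithms is the bar here: one matching digest plus three mismatches means a transcription error in the listing, not an identification. Bodies larger than a few bytes cannot be recovered this way; for those the digests are only useful for lookup against a file you already have.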